Privacy Notice - Customers and marketing

Respect for the privacy of the individual is important to us at Billogram (hereafter “Billogram”, “we”, “us”, “our”) and we work proactively to protect the personal data that we process. All personal data is processed in accordance with applicable law. This notice contains information about how we as data controller process personal data when you or your company are a customer of ours and use our service, as well as in our marketing and sales processes. We describe how and for what purposes we use your personal data, the lawful basis for the processing and what measures we take to protect personal data. We also describe how you can invoke your rights with regard to our processing of your personal data.

For information on how we manage cookies for our websites and services, see our Cookie policy.

Explanation of concepts

“Applicable Law” means the legislation applicable to the processing of personal data, including the General Data Protection Regulation (GDPR) (EU 2016/679), complementary national legislation and practices, guidelines and recommendations issued by national regulatory or EU supervisory bodies.

“Controller” is the company or organisation that decides for what purpose and in what way personal data is to be processed and which is responsible for the processing of personal data in accordance with applicable law.

“Data Subject” is an identified or identifiable natural person whose personal data is processed.

“Personal data” is any information that relates, directly or indirectly, to an identifiable natural person. 

“Processing” is an action or combination of actions relating to personal data, such as storage, alteration, reading, transmission, etc. 

“Processor” is the company or organisation that processes personal data on behalf of the controller in accordance with the controller’s instructions and applicable law.

“The service” is Billogram’s billing and payment service.

The definitions of the concepts above shall apply regardless of whether capitalised or not. 

General information about our personal data processing

We have an obligation to describe and provide evidence for how we meet the requirements imposed on us when we process your personal data. This section aims to describe general principles governing our personal data processing and to specify the personal data we process.

Lawful basis

In order to process personal data, the controller must have a lawful basis in applicable law for the processing. The lawful basis for our processing is as follows:

Consent – You have given your explicit consent that we may process your personal data. You may withdraw your consent at any time and we will cease processing your personal data for the purpose to which you have given your consent.

Contract – The processing is necessary for us to be able to perform a contract we have with you or to be able to enter into such a contract. 

Legal obligation – Processing of your personal data is necessary for us to meet the legal requirements imposed on us in our business operations. 

Legitimate interests – We have undertaken a legitimate interest assessment where we have determined that our interests in processing your personal data outweigh your right not to be covered by the processing.

How long do we store your personal data?

We only save your personal data for as long as is necessary for the purpose for which it was collected. Depending on the lawful basis in question, our processing may be governed by a contract, be dependent on valid consent, be prescribed by law or follow from an internal legitimate interest assessment. In the section “How your personal data is processed” below, we specify the criteria for when the purpose ceases and thus the time when we no longer process your data.

When we share your personal data with others

We may share your personal data with others in order for us to perform any of the processing operations described in this document, for example for the storage of data. We always enter into Data processing agreements with the data processors we use, in which we, among other things, give the processor instructions on how the personal data may be processed and what security measures are required for the processing. The processor may not carry out any processing of your personal data that goes beyond these instructions.

If required by law, decree, regulation, government decision or other ruling binding on Billogram, we may disclose your personal data to various authorities, such as the Swedish Tax Agency or the Swedish Police Authority. 

Transfer of personal data outside the EU/EEA 

Where personal data is transferred to countries outside the EU/EEA, we implement safety measures to ensure that the level of security is adequate and in accordance with applicable law. Such appropriate safety measures include, inter alia, ensuring the following:

– The European Commission has decided that the third country to which your personal data is transferred achieves an adequate level of protection, meaning that the protection of your personal data is deemed to be equivalent to the requirements in the GDPR, or

– The European Commission’s standard contractual clauses have been signed between Billogram or its processors, as applicable, and the recipient outside the EU/EEA, in other words that through agreements we have ensured that the protection of your personal data is equivalent to the requirements in the GDPR. In these cases, we also assess whether there is legislation in the recipient country that affects the protection of your personal data. Where necessary, we take special measures to ensure that the protection of your data remains in place when transferring it to the relevant country outside the EU/EEA.

Types of personal data

In this section we describe the types of personal data we process regarding customers, users of our service and in our marketing and sales process. Personal data we process only if your company constitutes a sole proprietorship is marked with *.

Contact and identification details: such as name, address, email address, telephone number, personal identity number, nationality and title.

Payment and billing information*: such as specification of the service you purchase from us, details of payment terms, current receivables or liabilities, OCR number and amount.

Bank details*: information on bank account numbers and bank or post office giro numbers. 

Case details: information about cases we handle, e.g. when you contact our customer support department or in the context of the investigations we sometimes need to carry out to fulfil the anti money laundering and terrorism financing regulations.

Communication information: the communication you have with us regarding our existing or future business relationship and the billing service we provide.

Device details: such as version of operating system, IP address or other unique identification of a computer, mobile phone or other device used to use the service.

Usage information: information about how you use our service or how you navigate on our website.

Information from sanction lists and PEP lists: Sanction lists and lists of persons constituting politically exposed persons (“PEP”) include information such as name, date of birth, place of birth, occupation or position, and the reason why the person is on the list in question.

How your personal data is processed

The sections below set out how we process personal data for customers, users and in our marketing activities. In each section you will find information on the personal data we process and for what purpose, where the data has been collected, the lawful basis for our processing, when the purpose of the processing ceases and, if possible and relevant, the basis for the assessment of the storage period (in brackets).

Customers

This section describes our personal data processing applicable for you who represent a company which is a customer of ours, such as the contact person for our customer relationship, authorised signatory or a beneficial owner in accordance with anti money laundering and terrorism financing regulations. Personal data we are processing only if your business is a sole proprietorship is marked with *.

| Purpose | Personal data types we process | Source | Lawful basis | When the purpose ceases |
| --- | --- | --- | --- | --- |
| To provide customer service in accordance with the agreement | Contact and identification details, Communication information | From you or the company where you are employed | Contract | 1 year after the contract between your company and Billogram expires (the time we deem necessary to handle follow up on our customer relationship) |
| | Case details | Billogram | | |
| To protect Billogram from legal claims and exercise Billogram’s legal rights | Contact and identification details, Bank details*, Communication information | From you or the company where you are employed | Legitimate interest. Our legitimate interest is that we need to be able to protect ourselves from legal claims and exercise our rights | 10 years after termination of the contract in accordance with the current limitation period (Swedish Act on Limitation) |
| | Payment and billing information*, Case details | Billogram | | |
| To compile bookkeeping and accounting data in accordance with accounting laws, as well as the retention of such data in accordance with applicable law | Contact and identification details, Bank details* | From you or the company where you are employed | Legal obligation (Swedish Bookkeeping Act) | 7 years after the end of the calendar year in which the data was recorded (Swedish Bookkeeping Act) |
| | Payment and billing information* | Billogram | | |
| To fulfil our obligations on preventing money laundering and terrorism financing | Contact and identification details | From you or the company where you are employed | Legal obligation (Act on measures against money laundering and terrorist financing) | 10 years after termination of the contract (Swedish Anti money laundering legislation) |
| | Information from sanction lists and PEP lists | External sources | | |
| | Usage information, Case details | Billogram | | |
| To manage complaints | Contact and identification details, Communication information | From you | Contract, Legal obligation (The Swedish Payment Services Act) | 2 years after the complaint has been handled (the time we deem necessary to be able to follow up on incoming complaints) |
| | Payment and billing information*, Case details | Billogram | | |

User

This section describes our personal data processing for you who are a registered user of our service.

| Purpose | Personal data types we process | Source | Lawful basis | When the purpose ceases |
| --- | --- | --- | --- | --- |
| To provide billing service to you as a user | Contact and identification details | From you or the company where you are employed | Contract | When you are deregistered as a user of our service |
| To ensure functionality and security of the billing service | Device details | From your device | Contract, Legitimate interest. Our legitimate interest is that we need to ensure that our service is not used for fraudulent purposes | When you are deregistered as a user of our service |
| | Contact and identification details | From you or the company where you are employed | | 3 years after a specific case has been registered in our service (the time we deem necessary to be able to troubleshoot registered errands) |
| | Usage information | Billogram | | |
| To provide support regarding our billing service | Contact and identification details, Communication information | From you | Contract | 2 years after the end of the calendar year in which the errand was handled (the time we deem necessary to be able to follow up on incoming errands) |
| | Case details | Billogram | | |

Marketing

This section describes our personal data processing for you who visit our website or are a contact person for a company which we have a marketing contact with.

| Purpose | Personal data types we process | Source | Lawful basis | When the purpose ceases |
| --- | --- | --- | --- | --- |
| To promote our billing service | Contact and identification details | From you, your company or external sources, such as corporate websites and social media | Legitimate interest. | 2 years after we are no longer in contact for sales or marketing purposes, or when you withdraw your consent |
| | Communication information | From you | | |
| | Usage information (navigation on our website) | Billogram | Consent | When you withdraw your consent |

Recipients we share your personal data with

Sometimes we need to share your personal data with others to fulfil the purposes described above. In the table below, we indicate the data processors we may share your personal data with.

| Data processor | Instruction (application area) |
| --- | --- |
| Amazon Web Services (AWS) | Storage and communication |
| Atlassian (Jira) | Case and project management |
| Google | Storage and communication |
| Salesforce | Customer relationship management |
| The Rocket Science Group (Mailchimp) | Communication |
| Softronic (CM1) | System for anti money laundering and counter terrorism financing measures |
| Zendesk | CRM system |

Your rights

According to applicable law, you as a data subject have several rights that you should be aware of.

– You have the right to request a record extract of the information recorded about you. 

– If the data we hold on you is incorrect, you have the right to have it corrected.

– You have the right to have your personal data deleted provided that we do not have to process it for the purposes for which it was collected, for example to perform a contract we have with you or where we have a legal obligation to continue processing the data.

– If you believe that the data is incorrect or that our processing is unlawful or that we do not need the data for a specific purpose, you may request that we restrict the processing of data about you. You can also request restriction of processing while awaiting verification from us as to whether our interest in processing your data outweighs your right not to have this data processed.

– The right to data portability means that in some cases where the lawful basis is a contract or consent, you have the right to receive your personal data and use your personal data elsewhere.

– If we indicate legitimate interest as a lawful basis, you have the right to object to the processing.

Contact details and Data Protection Officer

The personal data controller is Billogram AB, which is registered with the Swedish Companies Registration Office under corporate registration number 556801-7155 and is headquartered at Klara Södra Kyrkogata 1, SE-111 52 Stockholm, Sweden.

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com.

You can also contact our Data Protection Officer by email: dpo@billogram.com or by post at the above address.

Complaints

If you believe that the processing of your personal data is in violation of Applicable Law, you should contact us. You can also contact the Swedish Authority for Privacy Protection directly with your complaint.

Privacy notice updates

This privacy notice may be updated due to changes in legislation or changes in our personal data processing as a result of the development of our services.

The latest version is always published here on our website.

This version was updated on 2023-09-15.